Goals
The goal is to revoke a CRLG certificate from the SCMS System.
Background and Strategic Fit
A CRL Generator (CRLG) can only be revoked by a root CA. In a situation where a CRLG has been compromised or has failed, the TCotSCMSM must activate a root CA and use it to sign a Series 256 CRL listing the compromised CRLG as revoked. This file must then be copied to the CRL Store for distribution to all components.
On receipt of a CRL signed by a root CA and listing a CRLG as revoked, the CRL Store must create a new composite CRL that contains:
- All non-expired, Elector-signed, root-management messages
- The new root CA signed CRL listing a CRLG as revoked
- Any other non-expired root CA signed CRLs
- Any CRLs signed by other, non-revoked, non-expired CRLGs
This new composite CRL shall be distributed to all components.
The MA shall no longer use the revoked CRLG to sign CRLs (the procedure for adding a new CRLG will update the MA with the address and TLS certificate of the new CRLG).
Assumptions
- In the SCMS design, there may be more than one CRLG. However, for the Proof of Concept (PoC) deployment, there will be a single, central CRLG.
- The SCMS requires a valid CRLG in order to sustain operation. If the only active CRLG is revoked, the TCotSCMSM must initiate the process of adding a new CRLG (or re-certifying the existing CRLG) using the procedure described in the Add CRLG use case.
- After receipt of the new CRL signed by a root CA listing a CRLG as revoked, all components and EEs shall cease to process any CRL signed by the revoked CRLG.
- Components will have no reliable way to know the sequence in which valid or fraudulent revocation messages were created. Therefore, there is no effective way to "un-revoke" components previously placed on the CRL by a compromised CRLG. All previously revoked components will need to be re-certified with new certificates in order to restore trust.
- The procedure for interacting with the CRL Store and assembling a new composite CRL is implementation specific. There are no standard SCMS messages or procedures for performing this function.
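The following is an added illustration (not SCMS code and not any CRL Store's API, which the use case leaves implementation specific) of the composite-CRL assembly rules from Background and Strategic Fit and the component-side rule from the Assumptions. The entry model, signer ids, and integer clock values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

# Constructed, simplified model of CRL Store contents. It illustrates the
# assembly rules in this use case, not the SCMS message format.

@dataclass(frozen=True)
class Entry:
    kind: str                 # "root_mgmt" (Elector-signed), "root_crl" (root CA signed), "crlg_crl"
    signer: str               # constructed id of the signing Electors, root CA, or CRLG
    expiry: int               # constructed expiry, as an integer clock value
    revoked_crlgs: FrozenSet[str] = field(default_factory=frozenset)  # root_crl entries only

def revoked_crlg_ids(entries: List[Entry], now: int) -> Set[str]:
    """CRLG ids listed as revoked by any non-expired root CA signed CRL."""
    revoked: Set[str] = set()
    for e in entries:
        if e.kind == "root_crl" and e.expiry > now:
            revoked |= e.revoked_crlgs
    return revoked

def build_composite(store: List[Entry], new_root_crl: Entry, now: int) -> List[Entry]:
    """Assemble the composite CRL in the order the use case lists its parts."""
    live = [e for e in store if e.expiry > now]
    revoked = revoked_crlg_ids(live + [new_root_crl], now)
    composite = [e for e in live if e.kind == "root_mgmt"]     # 1: Elector-signed root-management messages
    composite.append(new_root_crl)                             # 2: the new Series 256 CRL revoking the CRLG
    composite += [e for e in live if e.kind == "root_crl"]     # 3: other non-expired root CA signed CRLs
    # 4: CRLs from non-revoked CRLGs. Everything the revoked CRLG signed is dropped whole,
    #    which is why the use case says its earlier revocations cannot be selectively undone.
    composite += [e for e in live if e.kind == "crlg_crl" and e.signer not in revoked]
    return composite

def component_accepts(crl: Entry, composite: List[Entry], now: int) -> bool:
    """A component ceases to process any CRL signed by a CRLG the composite lists as revoked."""
    if crl.kind != "crlg_crl":
        return True
    return crl.signer not in revoked_crlg_ids(composite, now)

def sample_scenario():
    """Constructed store: crlg-A is compromised; the root CA revokes it at clock time 100."""
    store = [
        Entry("root_mgmt", "electors", expiry=200),
        Entry("root_mgmt", "electors", expiry=50),     # expired, must be dropped
        Entry("root_crl", "root-ca", expiry=300),      # earlier root CA signed CRL, nothing revoked
        Entry("crlg_crl", "crlg-A", expiry=400),       # signed by the compromised CRLG
        Entry("crlg_crl", "crlg-B", expiry=400),
        Entry("crlg_crl", "crlg-B", expiry=90),        # expired
    ]
    new_root_crl = Entry("root_crl", "root-ca", expiry=500, revoked_crlgs=frozenset({"crlg-A"}))
    return store, new_root_crl, 100
```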